14 matches found

Snyk
added 2026/05/06 11:1 p.m., 3 views

Directory Traversal

Overview: nitropack is a package for building and deploying universal JavaScript servers. Affected versions of this package are vulnerable to Directory Traversal via the routeRules function. An attacker can access files or endpoints outside the intended proxy scope by sending specially crafted URLs containing...

CVSS 6.9 | AI score 6.3 | EPSS 0.00043
Exploits 0 | References 2
RedHat Linux
added 2026/05/04 11:37 p.m., 2 views

axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NO_PROXY rules. An attacker can exploit this by crafting requests to loopback addresses (e.g., localhost. or ::1) which bypass the NO_PROXY...

CVSS 9.9 | AI score 6.2 | EPSS 0.00069
Exploits 1 | References 10
SUSE CVE
added 2026/04/11 9:29 a.m., 4 views

SUSE CVE-2025-62718

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or ::1 (an IPv6 literal) skip NO_PROXY matching and go...

CVSS 9.9 | AI score 5.7 | EPSS 0.00069
Exploits 1 | References 3
EUVD
added 2026/04/09 5:32 p.m., 2 views

EUVD-2025-209381

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF...

CVSS 9.3 | AI score 5.9 | EPSS 0.00069
Exploits 1 | References 7
Snyk
added 2024/11/21 9:21 p.m., 1 views

Denial of Service (DoS)

Overview: Affected versions of this package are vulnerable to Denial of Service (DoS) due to a bypass of the rate limiter by forging proxy headers. An attacker can send unlimited traffic to the site. Note: See this documentation if the IP address of a remote proxy needs to be authorized. Workaroun...

CVSS 6.9 | AI score 7.1 | EPSS 0.00115
Exploits 0 | References 2
RubySec
added 2024/11/20 12:0 a.m., 15 views

Password Pusher rate limiter can be bypassed by forging proxy headers

Impact: Password Pusher comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers, allowing bad actors to send unlimited traffic to the site and potentially causing a denial of service. Patches: In v1.49.0, a fix was implemented to...

CVSS 5.3 | AI score 6.6 | EPSS 0.00115
Exploits 0 | References 1 | Affected Software 1
CNNVD
added 2024/07/09 12:0 a.m., 1 views

PrivateBin Security Vulnerability

PrivateBin is a minimalist open source online pastebin from the PrivateBin project. A security vulnerability exists in PrivateBin versions prior to 1.7.4 that stems from exposing authentication tokens to the public without authentication, allowing anyone to break through restrictions imposed by a...

CVSS 5.3 | AI score 6.9 | EPSS 0.00106
Exploits 0 | References 4
RedhatCVE
added 2023/11/16 10:46 p.m., 44 views

CVE-2023-47641

Aiohttp is susceptible to an HTTP request smuggling vulnerability due to inadequate parsing of the HTTP Content-Length (CL) and Transfer-Encoding (TE) headers. This flaw allows an attacker to bypass proxy rules, poisoning sockets to other users, such as passing Authentication Headers. Additionally, i...

CVSS 3.4 | AI score 6.3 | EPSS 0.00358
Exploits 1 | References 5
Veracode
added 2023/11/16 6:17 a.m., 32 views

HTTP Request Smuggling

aiohttp is vulnerable to HTTP Request Smuggling. The vulnerability exists due to an inconsistent interpretation of the Content-Length (CL) and Transfer-Encoding (TE) headers in http_parser.py, which can be exploited to bypass proxy rules, poison sockets, and potentially redirect users to malicious...

CVSS 6.5 | AI score 7 | EPSS 0.00358
Exploits 1 | References 2 | Affected Software 1
OSV
added 2023/11/14 9:15 p.m., 26 views

PYSEC-2023-247

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the HTTP protocol. HTTP/1.1 is a persistent protocol; if both Content-Length (CL) and Transfer-Encoding (TE) header...

CVSS 6.5 | AI score 6.4 | EPSS 0.00358
Exploits 1 | References 2
RedHat Linux
added 2023/04/06 2:48 p.m., 3 views

httpd: HTTP request splitting with mod_rewrite and mod_proxy

A vulnerability was found in httpd. This security issue occurs when some mod_proxy configurations on Apache HTTP Server allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern...

CVSS 9.8 | AI score 6.6 | EPSS 0.67011
Exploits 5 | References 5
Kitploit
added 2021/04/20 12:30 p.m., 40 views

Reproxy - Simple Edge Server / Reverse Proxy

Reproxy is a simple edge HTTPS server / reverse proxy supporting various providers (docker, static, file). One or more providers supply information about the requested server, requested URL, destination URL and health-check URL. Distributed as a single binary or as a docker container. Automatic SSL...

AI score 6.8
Exploits 0 | References 6
Kitploit
added 2014/04/15 9:18 p.m., 20 views

Burp Suite Professional v1.6 - The leading toolkit for web application security testing

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security...

AI score 6.9
Exploits 0
CERT
added 2007/11/24 12:0 a.m., 56 views

Apple QuickTime RTSP Content-Type header stack buffer overflow

Overview: Apple QuickTime contains a stack buffer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. Description: Real Time Streaming Protocol (RTSP) is a protocol used by streaming media systems. The Appl...

CVSS 9.3 | AI score 7 | EPSS 0.84254
Exploits 10 | References 14